Debian-LTS has issued an advisory on January 5:
https://www.debian.org/lts/security/2023/dla-3262

The issue is fixed upstream in 4.2.1:
https://github.com/smarty-php/smarty/releases/tag/v4.2.1
Status comment: (none) => Fixed upstream in 4.2.1
CVE: (none) => CVE-2018-25047
It was discovered that there was a potential cross-site scripting vulnerability in smarty3, a widely-used PHP templating engine.

In Smarty before 3.1.47 and 4.x before 4.2.1, libs/plugins/function.mailto.php allows XSS. A web page that uses smarty_function_mailto, and that could be parameterized using GET or POST input parameters, could allow injection of JavaScript code by a user.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-25047
https://www.debian.org/lts/security/2023/dla-3262
https://github.com/smarty-php/smarty/releases/tag/v4.2.1

Updates in core/updates_testing:
php-smarty-4.2.1-1.mga8.noarch.rpm

SRPM:
php-smarty-4.2.1-1.mga8.src.rpm
Assignee: mageia => qa-bugs
Status comment: Fixed upstream in 4.2.1 => (none)
CC: (none) => mageia
MGA8-64 MATE on Acer Aspire 5253.
No installation issues. As in previous updates, OK on clean install.
CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK
Validating. Advisory in Comment 1.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
CC: (none) => davidwhodgins
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2023-0014.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED